Ruby/activejob/5.0.1
Declare job classes that can be run by a variety of queuing backends.
Repo Link:
https://rubygems.org/gems/activejob
License:
MIT
2 Security Vulnerabilities
Published date: 2018-12-05T17:24:27Z
CVE: CVE-2018-16476
A Broken Access Control vulnerability in Active Job versions >= 4.2.0 allows an attacker to craft user input which can cause Active Job to deserialize it using GlobalId and give them access to information that they should not have.
Affected versions:
["5.2.1", "5.2.0", "5.2.1.rc1", "5.1.6", "5.1.5", "5.1.5.rc1", "5.1.4.rc1", "5.1.3", "5.1.3.rc2", "5.1.3.rc1", "5.1.2", "5.1.0", "5.1.4", "5.1.3.rc3", "5.1.2.rc1", "5.1.1", "5.0.7", "5.0.6", "5.0.4", "5.0.3", "5.0.1.rc2", "5.0.0.1", "5.0.6.rc1", "5.0.5", "5.0.5.rc2", "5.0.5.rc1", "5.0.4.rc1", "5.0.2", "5.0.2.rc1", "5.0.1", "5.0.1.rc1", "5.0.0", "4.2.10.rc1", "4.2.9", "4.2.9.rc2", "4.2.8", "4.2.7.1", "4.2.7", "4.2.7.rc1", "4.2.6.rc1", "4.2.5", "4.2.5.rc1", "4.2.4.rc1", "4.2.3.rc1", "4.2.2", "4.2.1.rc3", "4.2.1.rc1", "4.2.0", "4.2.10", "4.2.9.rc1", "4.2.8.rc1", "4.2.6", "4.2.5.2", "4.2.5.1", "4.2.5.rc2", "4.2.4", "4.2.3", "4.2.1", "4.2.1.rc4", "4.2.1.rc2"]
Secure versions:
[0, 4.2.0.beta1, 4.2.0.beta2, 4.2.0.beta3, 4.2.0.beta4, 4.2.0.rc1, 4.2.0.rc2, 4.2.0.rc3, 4.2.11, 4.2.11.1, 4.2.11.2, 4.2.11.3, 5.0.7.1, 5.0.7.2, 5.1.0.beta1, 5.1.0.rc1, 5.1.0.rc2, 5.1.6.1, 5.1.6.2, 5.1.7, 5.1.7.rc1, 5.2.1.1, 5.2.2, 5.2.2.1, 5.2.2.rc1, 5.2.3, 5.2.3.rc1, 5.2.4, 5.2.4.1, 5.2.4.2, 5.2.4.3, 5.2.4.4, 5.2.4.5, 5.2.4.6, 5.2.4.rc1, 5.2.5, 5.2.6, 5.2.6.1, 5.2.6.2, 5.2.6.3, 5.2.7, 5.2.7.1, 5.2.8, 5.2.8.1, 6.0.0, 6.0.0.beta1, 6.0.0.beta2, 6.0.0.beta3, 6.0.0.rc1, 6.0.0.rc2, 6.0.1, 6.0.1.rc1, 6.0.2, 6.0.2.1, 6.0.2.2, 6.0.2.rc1, 6.0.2.rc2, 6.0.3, 6.0.3.1, 6.0.3.2, 6.0.3.3, 6.0.3.4, 6.0.3.5, 6.0.3.6, 6.0.3.7, 6.0.3.rc1, 6.0.4, 6.0.4.1, 6.0.4.2, 6.0.4.3, 6.0.4.4, 6.0.4.5, 6.0.4.6, 6.0.4.7, 6.0.4.8, 6.0.5, 6.0.5.1, 6.0.6, 6.0.6.1, 6.1.0, 6.1.0.rc1, 6.1.0.rc2, 6.1.1, 6.1.2, 6.1.2.1, 6.1.3, 6.1.3.1, 6.1.3.2, 6.1.4, 6.1.4.1, 6.1.4.2, 6.1.4.3, 6.1.4.4, 6.1.4.5, 6.1.4.6, 6.1.4.7, 6.1.5, 6.1.5.1, 6.1.6, 6.1.6.1, 6.1.7, 6.1.7.1, 6.1.7.10, 6.1.7.2, 6.1.7.3, 6.1.7.4, 6.1.7.5, 6.1.7.6, 6.1.7.7, 6.1.7.8, 6.1.7.9, 7.0.0, 7.0.0.alpha1, 7.0.0.alpha2, 7.0.0.rc1, 7.0.0.rc2, 7.0.0.rc3, 7.0.1, 7.0.2, 7.0.2.1, 7.0.2.2, 7.0.2.3, 7.0.2.4, 7.0.3, 7.0.3.1, 7.0.4, 7.0.4.1, 7.0.4.2, 7.0.4.3, 7.0.5, 7.0.5.1, 7.0.6, 7.0.7, 7.0.7.1, 7.0.7.2, 7.0.8, 7.0.8.1, 7.0.8.2, 7.0.8.3, 7.0.8.4, 7.0.8.5, 7.0.8.6, 7.0.8.7, 7.1.0, 7.1.0.beta1, 7.1.0.rc1, 7.1.0.rc2, 7.1.1, 7.1.2, 7.1.3, 7.1.3.1, 7.1.3.2, 7.1.3.3, 7.1.3.4, 7.1.4, 7.1.4.1, 7.1.4.2, 7.1.5, 7.1.5.1, 7.1.5.2, 7.2.0, 7.2.0.beta1, 7.2.0.beta2, 7.2.0.beta3, 7.2.0.rc1, 7.2.1, 7.2.1.1, 7.2.1.2, 7.2.2, 7.2.2.1, 7.2.2.2, 8.0.0, 8.0.0.1, 8.0.0.beta1, 8.0.0.rc1, 8.0.0.rc2, 8.0.1, 8.0.2, 8.0.2.1, 8.1.0.beta1]
Recommendation:
Update to version 8.0.2.1.
Published date: 2018-11-27
Framework: rails
CVE: 2018-16476
CVSS V3: 7.5
There is a vulnerability in Active Job. This vulnerability has been assigned the CVE identifier CVE-2018-16476.
Versions Affected: >= 4.2.0
Not affected: < 4.2.0
Fixed Versions: 4.2.11, 5.0.7.1, 5.1.6.1, 5.2.1.1
Impact
Carefully crafted user input can cause Active Job to deserialize it using GlobalId and allow an attacker to have access to information that they should not have.
Vulnerable code will look something like this:
MyJob.perform_later(user_input)
All users running an affected release should either upgrade or use one of the workarounds immediately.
Affected versions:
["5.2.1", "5.2.0", "5.2.0.rc2", "5.2.0.rc1", "5.0.7", "5.0.6", "5.0.4", "5.0.3", "5.0.1.rc2", "5.0.0.1", "5.0.0.rc2", "5.0.0.beta4", "5.2.1.rc1", "5.2.0.beta2", "5.2.0.beta1", "5.0.6.rc1", "5.0.5", "5.0.5.rc2", "5.0.5.rc1", "5.0.4.rc1", "5.0.2", "5.0.2.rc1", "5.0.1", "5.0.1.rc1", "5.0.0", "5.0.0.rc1", "5.0.0.racecar1", "5.0.0.beta3", "5.0.0.beta2", "5.0.0.beta1.1", "5.0.0.beta1"]
Secure versions:
[0, 4.2.0.beta1, 4.2.0.beta2, 4.2.0.beta3, 4.2.0.beta4, 4.2.0.rc1, 4.2.0.rc2, 4.2.0.rc3, 4.2.11, 4.2.11.1, 4.2.11.2, 4.2.11.3, 5.0.7.1, 5.0.7.2, 5.1.0.beta1, 5.1.0.rc1, 5.1.0.rc2, 5.1.6.1, 5.1.6.2, 5.1.7, 5.1.7.rc1, 5.2.1.1, 5.2.2, 5.2.2.1, 5.2.2.rc1, 5.2.3, 5.2.3.rc1, 5.2.4, 5.2.4.1, 5.2.4.2, 5.2.4.3, 5.2.4.4, 5.2.4.5, 5.2.4.6, 5.2.4.rc1, 5.2.5, 5.2.6, 5.2.6.1, 5.2.6.2, 5.2.6.3, 5.2.7, 5.2.7.1, 5.2.8, 5.2.8.1, 6.0.0, 6.0.0.beta1, 6.0.0.beta2, 6.0.0.beta3, 6.0.0.rc1, 6.0.0.rc2, 6.0.1, 6.0.1.rc1, 6.0.2, 6.0.2.1, 6.0.2.2, 6.0.2.rc1, 6.0.2.rc2, 6.0.3, 6.0.3.1, 6.0.3.2, 6.0.3.3, 6.0.3.4, 6.0.3.5, 6.0.3.6, 6.0.3.7, 6.0.3.rc1, 6.0.4, 6.0.4.1, 6.0.4.2, 6.0.4.3, 6.0.4.4, 6.0.4.5, 6.0.4.6, 6.0.4.7, 6.0.4.8, 6.0.5, 6.0.5.1, 6.0.6, 6.0.6.1, 6.1.0, 6.1.0.rc1, 6.1.0.rc2, 6.1.1, 6.1.2, 6.1.2.1, 6.1.3, 6.1.3.1, 6.1.3.2, 6.1.4, 6.1.4.1, 6.1.4.2, 6.1.4.3, 6.1.4.4, 6.1.4.5, 6.1.4.6, 6.1.4.7, 6.1.5, 6.1.5.1, 6.1.6, 6.1.6.1, 6.1.7, 6.1.7.1, 6.1.7.10, 6.1.7.2, 6.1.7.3, 6.1.7.4, 6.1.7.5, 6.1.7.6, 6.1.7.7, 6.1.7.8, 6.1.7.9, 7.0.0, 7.0.0.alpha1, 7.0.0.alpha2, 7.0.0.rc1, 7.0.0.rc2, 7.0.0.rc3, 7.0.1, 7.0.2, 7.0.2.1, 7.0.2.2, 7.0.2.3, 7.0.2.4, 7.0.3, 7.0.3.1, 7.0.4, 7.0.4.1, 7.0.4.2, 7.0.4.3, 7.0.5, 7.0.5.1, 7.0.6, 7.0.7, 7.0.7.1, 7.0.7.2, 7.0.8, 7.0.8.1, 7.0.8.2, 7.0.8.3, 7.0.8.4, 7.0.8.5, 7.0.8.6, 7.0.8.7, 7.1.0, 7.1.0.beta1, 7.1.0.rc1, 7.1.0.rc2, 7.1.1, 7.1.2, 7.1.3, 7.1.3.1, 7.1.3.2, 7.1.3.3, 7.1.3.4, 7.1.4, 7.1.4.1, 7.1.4.2, 7.1.5, 7.1.5.1, 7.1.5.2, 7.2.0, 7.2.0.beta1, 7.2.0.beta2, 7.2.0.beta3, 7.2.0.rc1, 7.2.1, 7.2.1.1, 7.2.1.2, 7.2.2, 7.2.2.1, 7.2.2.2, 8.0.0, 8.0.0.1, 8.0.0.beta1, 8.0.0.rc1, 8.0.0.rc2, 8.0.1, 8.0.2, 8.0.2.1, 8.1.0.beta1]
Recommendation:
Update to version 8.0.2.1.